As an active security researcher with immense professional expertise in application security, Jason Haddix joins us to explain the common attack vectors that face today’s mobile applications -- from a hacker’s perspective.
2. Mobile Application Security Threats through the Eyes of the Attacker
2
Our Speaker
Jason is the Director of Technical
Operations at Bugcrowd. He trains and
works with internal application security
engineers to triage and validate hardcore
vulnerabilities in mobile, web, and IoT
applications/devices. He also works with
Bugcrowd to improve the security
industry’s relations with the researchers.
Jason’s interests and areas of expertise
include mobile penetration testing, black
box web application auditing, network/
infrastructural security assessments, binary
reverse engineering, and static analysis.
Jason Haddix
@jhaddix
3. Mobile Application Security Threats through the Eyes of the Attacker
3
Agenda
o Mobile is everywhere
o Top Ten Mobile App Risks
What are they?
What are some examples?
o Focusing on the big 3
o Resources for security and dev teams
o Questions
4. Mobile Application Security Threats through the Eyes of the Attacker
4
Mobile is everywhere
Mobile is computing
• There are 1.2 billion mobile users. By 2018 that number
with be 5 billion.
• Mobile adoption is growing 8x faster than traditional web
applications.
• Mobile payments will exceed $90 Billion
by 2017
5. Mobile Application Security Threats through the Eyes of the Attacker
5
Mobile is everywhere
Attackers go where the users are
• It’s not just phones, tables, IoT devices, etc are all
“mobile” now.
• With that kind of adoption hackers have shifted to
these new surface areas.
6. Mobile Application Security Threats through the Eyes of the Attacker
6
2014 Draft
OWASP Mobile Top 10 Risks
M1 – Weak
Server Side
Controls
M10 – Lack
of Binary
Protections
M9 –
Improper
Session
Handling
M5 – Poor
Authorization
and
Authentication
M6 – Broken
Cryptography
M7 – Client
Side
Injection
M8 – Security
Decisions Via
Untrusted Inputs
M2 –
Insecure
Data
Storage
M3 –
Insufficient
Transport
Layer
Protection
M4 –
Unintended
Data
Leakage
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
8. Mobile Application Security Threats through the Eyes of the Attacker
8
Take a look at your mobile OS and ensure that none of the operating systems features leak private data.
Unintended Data Leakage
iOS:
• Logging (NSLog in production)
• Application Background Screenshot
• URL Caching
• Keyboard Press Caching
• Copy/Paste buffer Caching
• Photo Sharing
Android
• URL Caching (Both request and
response)
• Logging (log.d)
• Exported Content Providers
9. Mobile Application Security Threats through the Eyes of the Attacker
9
http://s3jensen.blogspot.com/2014/02/credit-karma-ios-vulnerability.html
10. Mobile Application Security Threats through the Eyes of the Attacker
10
Pro-Tips for the mobile dev
Don’t Store or Store Securely
• If at all possible don’t store passwords or PII.
• There are several storage mechanisms for each platform.
Some are safer than others.
• iOS: When storage is necessary for small
data fragments, use the iOS keychain. In
addition store all strings in encrypted
format, even in the keychain. Never use
plists for data storage (NSUserDefaults)
• iOS: For larger data-sets, files, and
databases (coredata or sqlite), utilize
Apple’s Data Protection API with a
minimum of the designation
NSFileProtectionCompleteUnlessOpen
• Android: Use the Andriod Keystore
(crypted values) and avoid saving to
the external storage (Sdcard) as it is
a shared storage mechanism.
12. Mobile Application Security Threats through the Eyes of the Attacker
12
Poor TLS implementations
Common Vulnerabilities
13. Mobile Application Security Threats through the Eyes of the Attacker
13
Over the Wire
o When the application runs, it will be talking to multiple servers.
o It will also be using an untrusted network 50% of the time.
o Always use HTTPS, disable HTTP endpoints.
o Set appropriate cookies: secure, HTTPonly
o Use appropriate cipher strength for SSL
o Use appropriate certificate management calls
o Use Certificate pinning where possible
o https://github.com/iSECPartners/ssl-conservatory
14. Mobile Application Security Threats through the Eyes of the Attacker
14
Poor TLS implementations
Common Vulnerabilities
• Trusting any certificate it sees
• Allows expired certificates
• Allows trivial MiTM attacks
• Can connect to HTTPS once, and then fall back (mixed mode)
• ++
SSL Checklist for Penetration Testers
16. Mobile Application Security Threats through the Eyes of the Attacker
16
Highlights
Protect the Server
• The server side is the most often overlooked piece of the mobile
application, and therefore usually yields the most critical
vulnerabilities.
• Validate all input, use whitelisting approach for special/control
characters.
• While not a silver bullet, there are several open source WAF’s and
libraries depending on platform (modsecurity, OWASP ESAPI, IIS Sec
modules)
• Think about authentication API requests and how they can be
abused.
• Keep webserver software and framework updated. (this includes XML
parsers ;)
• If the backend is WS based, return the proper content type.
• Use POST instead of GET where possible.
• "Cache-Control : no-cache, no-store“ is important
17. Mobile Application Security Threats through the Eyes of the Attacker
17
OWASP Proactive Controls
1: Parameterize Queries
2: Encode Data
3: Validate All Inputs
4: Implement Appropriate Access Controls
5: Establish Identity and Authentication Controls
6: Protect Data and Privacy
7: Implement Logging, Error Handling and Intrusion Detection
8: Leverage Security Features of Frameworks and Security Libraries
9: Include Security-Specific Requirements
10: Design and Architect Security In
19. Mobile Application Security Threats through the Eyes of the Attacker
19
Proxy the application during QA testing
to audit for data leakage
http://codewithchris.com/tutorial-using-charles-proxy-with-your-ios-development-and-http-debugging/
20. Mobile Application Security Threats through the Eyes of the Attacker
20
Check for unencrypted files
https://github.com/dmayer/idb
21. Mobile Application Security Threats through the Eyes of the Attacker
21
Data storage, protection, and testing on the device
iOS Developer
ü iOS: Data Protection
Classes
ü iOS: Encrypted Core Data
guide
ü iOS Security Guide
iOS Tester
ü idb iOS assessment tool
ü OWASP iOS Testing Cheat
sheet
Android Developer
ü Android: CERT Secure Coding
Practices for Android
ü Jssec.org Secure Android
Coding Manual
Android Tester
ü Android Debug Bridge (adb)
ü Drozer Android Toolkit
22. Mobile Application Security Threats through the Eyes of the Attacker
2222
Key Takeaways
1. Start with identifying and fixing the “top 3”
2. Keep a well trained and staffed
development and assessment team
3. Utilize provided resources
23. Mobile Application Security Threats through the Eyes of the Attacker
23
QUESTIONS?
bugcrowd.comjhaddix@bugcrowd.com @jhaddix